For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 09, 2016

If you attempt to use SSL Forward Proxy features without the license, it will surely fail.

 

At a minimum, if you remove the TCP ingress VIP and just leave the proxy VIP, you should be able to do outbound HTTP (HTTPS should fail with a 503). If that works, create the ingress TCP VIP with the following minimum properties (leave everything else at default):

 

  • Type: Standard
  • Destination Address/Mask: 0.0.0.0/0
  • Service Port: 443
  • VLAN and Tunnel Traffic: Enabled on the tunnel VLAN
  • Source Address Translation: SNAT if you need it for outbound traffic
  • Address and port translation: unchecked

In this case you're just creating a tunnel to allow HTTPS traffic to pass, without attempting to decrypt. Again, without the license it will definitely fail if you apply SSL profiles.